AMLEGALSDPDPAVibe Data Privacy
Back to All Guides
foreign investment

Foreign Companies Establishing Data Processing in India

DPDPA Compliance for Market Entry

14 min read15 December 2024
"India's 1.4 billion digital consumers come with data protection obligations. Market entry requires privacy infrastructure."

Foreign companies establishing data processing operations in India, or processing Indian residents' data from abroad, face specific DPDPA compliance requirements. This guide maps the regulatory landscape for market entry.

1Extraterritorial Application of DPDPA

Section 3 extends DPDPA to processing outside India under specific conditions.

  • Offering goods/services to Data Principals in India triggers DPDPA
  • Profiling Data Principals in India triggers DPDPA
  • Mere website accessibility is not sufficient trigger
  • Active targeting (Hindi content, INR pricing, .in domain) indicates offering

2Local Establishment Requirements

DPDPA does not mandate local establishment, but practical considerations exist.

  • No mandatory Data Protection Representative requirement (unlike GDPR)
  • Grievance redressal requires accessible contact for Indian principals
  • Board proceedings may require Indian presence
  • Penalty enforcement may be challenged without local assets
Counsel Advisory

Strategic Consideration: While not legally required, a local entity or representative significantly reduces regulatory and enforcement risk.

3Cross-Border Transfer Framework

Section 16 governs transfers of Indian personal data abroad.

  • Default position: Transfers permitted to all jurisdictions
  • Restriction: Government may notify negative list countries
  • No adequacy decision mechanism (unlike GDPR)
  • Contractual safeguards recommended but not mandated
  • Fiduciary obligations continue post-transfer

Key Takeaways

1

DPDPA applies to foreign companies offering services to Indians

2

No mandatory local representative requirement

3

Cross-border transfers are generally permitted (negative list approach)

4

Grievance mechanism must be accessible to Indian Data Principals

5

Consider local entity for practical enforcement risk mitigation

Statutory References

Section 3 (Extraterritorial Application)Section 16 (Transfer Outside India)Section 13 (Grievance Redressal)Rule 15 (Cross-Border Transfers)

Get in Touch

Get expert guidance tailored to your specific business needs and compliance requirements.

Get in Touch